import os
import seccomp

class Sandbox:
    def __enter__(self):
        # 限制系统调用
        filter = seccomp.SyscallFilter(defaction=seccomp.KILL)
        filter.add_rule(seccomp.ALLOW, "read")
        filter.add_rule(seccomp.ALLOW, "write")
        filter.add_rule(seccomp.ALLOW, "open")
        filter.load()
        
        # 限制文件系统访问
        os.chroot("/var/lib/mirror-tool/sandbox")
        os.chdir("/")
        
    def __exit__(self, *args):
        os.chroot("..")  # 退出沙盒